The branch, master has been updated
       via  d5cbfbb... s4:ntlmssp: remove mem_ctx from check_password() 
callback to match s3
       via  f31d144... s4:ntlmssp_server: always call ntlmssp_server_postauth() 
and decide there if it's a noop
       via  994d34b... s4:ntlmssp_server: don't use a mem_ctx for 
ntlmssp_server_auth()
       via  3f04b60... s4:ntlmssp_server: don't use mem_ctx in 
auth_ntlmssp_check_password()
       via  7d4692f... s4:ntlmssp_server: clear session key in 
ntlmssp_server_preauth()
       via  dea4560... s4:ntlmssp: use data_blob_null in ntlmssp_server_auth()
       via  60b9434... s4:ntlmssp_server: remove unused variable
       via  a8e61ac... s4:auth/ntlmssp: let get_challenge() return a NTSTATUS 
and fill a stack buffer
       via  c9b6ad2... s3:ntlmssp: change get_challange() to return NTSTATUS
      from  fbb59b2... dsdb: Fix dependencies when building against system ldb.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d5cbfbb93a1718b3031f37a62e350a2cd7ab0bdc
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 16:14:05 2009 +0100

    s4:ntlmssp: remove mem_ctx from check_password() callback to match s3
    
    metze

commit f31d144e70c632892ffc7d5177789947e821ad7e
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 16:10:57 2009 +0100

    s4:ntlmssp_server: always call ntlmssp_server_postauth() and decide there 
if it's a noop
    
    metze

commit 994d34b949cd68b692ca688f162652c924732e84
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 16:07:16 2009 +0100

    s4:ntlmssp_server: don't use a mem_ctx for ntlmssp_server_auth()
    
    metze

commit 3f04b60fb9051f65074316b7704793759f4cbdf7
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 16:02:00 2009 +0100

    s4:ntlmssp_server: don't use mem_ctx in auth_ntlmssp_check_password()
    
    metze

commit 7d4692fa43fd84a8251231781fba7f3f9e46c30b
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 15:54:59 2009 +0100

    s4:ntlmssp_server: clear session key in ntlmssp_server_preauth()
    
    metze

commit dea456089a7838219e7819bfb04a98e03f3d0002
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 12:58:44 2009 +0100

    s4:ntlmssp: use data_blob_null in ntlmssp_server_auth()
    
    metze

commit 60b9434492423d463bd1a43d84b5084dce980ecb
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 13:53:44 2009 +0100

    s4:ntlmssp_server: remove unused variable
    
    metze

commit a8e61ac084fc84fe9b1246ab97f0ca34cd9a0e8a
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 10:44:19 2009 +0100

    s4:auth/ntlmssp: let get_challenge() return a NTSTATUS and fill a stack 
buffer
    
    metze

commit c9b6ad25004caab854cf6301faa472bb5c890a71
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Dec 29 11:57:28 2009 +0100

    s3:ntlmssp: change get_challange() to return NTSTATUS
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth_ntlmssp.c           |    5 +-
 source3/include/ntlmssp.h             |    4 +-
 source3/libsmb/ntlmssp.c              |   11 +++-
 source4/auth/ntlmssp/ntlmssp.h        |    4 +-
 source4/auth/ntlmssp/ntlmssp_server.c |  104 ++++++++++++++-------------------
 5 files changed, 58 insertions(+), 70 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index f95a235..4243a24 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -28,13 +28,14 @@
  * @return an 8 byte random challenge
  */
 
-static void auth_ntlmssp_get_challenge(const struct ntlmssp_state 
*ntlmssp_state,
-                                      uint8_t chal[8])
+static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state 
*ntlmssp_state,
+                                          uint8_t chal[8])
 {
        AUTH_NTLMSSP_STATE *auth_ntlmssp_state =
                (AUTH_NTLMSSP_STATE *)ntlmssp_state->auth_context;
        auth_ntlmssp_state->auth_context->get_ntlm_challenge(
                auth_ntlmssp_state->auth_context, chal);
+       return NT_STATUS_OK;
 }
 
 /**
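Review bot: The doc comment above `auth_ntlmssp_get_challenge()` still reads `@return an 8 byte random challenge`, but the function now returns an NTSTATUS and delivers the challenge through `chal`. The same stale wording is visible on the `get_challenge` callback comments in source3/include/ntlmssp.h and source4/auth/ntlmssp/ntlmssp.h, and above the source4 `auth_ntlmssp_get_challenge()`. I would replace it with `@param chal receives the 8 byte challenge` and `@return NT_STATUS_OK when chal has been filled, an error status otherwise`. The comment begins above this hunk, so only its tail is shown here.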
diff --git a/source3/include/ntlmssp.h b/source3/include/ntlmssp.h
index f30b53f..d3de598 100644
--- a/source3/include/ntlmssp.h
+++ b/source3/include/ntlmssp.h
@@ -74,8 +74,8 @@ struct ntlmssp_state
         * @return 8 bytes of challenge data, determined by the server to be 
the challenge for NTLM authentication
         *
         */
-       void (*get_challenge)(const struct ntlmssp_state *ntlmssp_state,
-                             uint8_t challenge[8]);
+       NTSTATUS (*get_challenge)(const struct ntlmssp_state *ntlmssp_state,
+                                 uint8_t challenge[8]);
 
        /**
         * Callback to find if the challenge used by NTLM authentication may be 
modified
diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
index aaa5031..7fffe7c 100644
--- a/source3/libsmb/ntlmssp.c
+++ b/source3/libsmb/ntlmssp.c
@@ -112,10 +112,11 @@ void debug_ntlmssp_flags(uint32 neg_flags)
  *
  */
 
-static void get_challenge(const struct ntlmssp_state *ntlmssp_state,
-                         uint8_t chal[8])
+static NTSTATUS get_challenge(const struct ntlmssp_state *ntlmssp_state,
+                             uint8_t chal[8])
 {
        generate_random_buffer(chal, 8);
+       return NT_STATUS_OK;
 }
 
 /**
@@ -493,6 +494,7 @@ static NTSTATUS ntlmssp_server_negotiate(struct 
ntlmssp_state *ntlmssp_state,
        const char *target_name;
        struct NEGOTIATE_MESSAGE negotiate;
        struct CHALLENGE_MESSAGE challenge;
+       NTSTATUS status;
 
        /* parse the NTLMSSP packet */
 #if 0
@@ -525,7 +527,10 @@ static NTSTATUS ntlmssp_server_negotiate(struct 
ntlmssp_state *ntlmssp_state,
        ntlmssp_handle_neg_flags(ntlmssp_state, neg_flags, lp_lanman_auth());
 
        /* Ask our caller what challenge they would like in the packet */
-       ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
+       status = ntlmssp_state->get_challenge(ntlmssp_state, cryptkey);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
 
        /* Check if we may set the challenge */
        if (!ntlmssp_state->may_set_challenge(ntlmssp_state)) {
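Review bot: The new failure branch after `get_challenge()` returns the status without logging anything, while the source4 counterpart changed in this same push logs the reason with `nt_errstr(status)`. A failed challenge fetch aborts the authentication, so a trace of why it failed is useful when diagnosing it. I would add `DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a challenge: %s\n", nt_errstr(status)));` before `return status;`. The body of `ntlmssp_server_negotiate()` starts and ends outside this hunk.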
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h
index f596cb8..7bed54d 100644
--- a/source4/auth/ntlmssp/ntlmssp.h
+++ b/source4/auth/ntlmssp/ntlmssp.h
@@ -81,7 +81,8 @@ struct gensec_ntlmssp_state
         * @return 8 bytes of challenge data, determined by the server to be 
the challenge for NTLM authentication
         *
         */
-       const uint8_t *(*get_challenge)(const struct gensec_ntlmssp_state *);
+       NTSTATUS (*get_challenge)(const struct gensec_ntlmssp_state *,
+                                 uint8_t challenge[8]);
 
        /**
         * Callback to find if the challenge used by NTLM authentication may be 
modified
@@ -117,7 +118,6 @@ struct gensec_ntlmssp_state
         *
         */
        NTSTATUS (*check_password)(struct gensec_ntlmssp_state *,
-                                  TALLOC_CTX *mem_ctx,
                                   DATA_BLOB *nt_session_key, DATA_BLOB 
*lm_session_key);
 
        const char *server_name;
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c 
b/source4/auth/ntlmssp/ntlmssp_server.c
index 281ffbf..c49bf2f 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -124,8 +124,9 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security 
*gensec_security,
        DATA_BLOB struct_blob;
        uint32_t neg_flags = 0;
        uint32_t ntlmssp_command, chal_flags;
-       const uint8_t *cryptkey;
+       uint8_t cryptkey[8];
        const char *target_name;
+       NTSTATUS status;
 
        /* parse the NTLMSSP packet */
 #if 0
@@ -150,10 +151,11 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security 
*gensec_security,
        ntlmssp_handle_neg_flags(gensec_ntlmssp_state, neg_flags, 
gensec_ntlmssp_state->allow_lm_key);
 
        /* Ask our caller what challenge they would like in the packet */
-       cryptkey = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state);
-       if (!cryptkey) {
-               DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a 
challenge\n"));
-               return NT_STATUS_INTERNAL_ERROR;
+       status = gensec_ntlmssp_state->get_challenge(gensec_ntlmssp_state, 
cryptkey);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(1, ("ntlmssp_server_negotiate: backend doesn't give a 
challenge: %s\n",
+                         nt_errstr(status)));
+               return status;
        }
 
        /* Check if we may set the challenge */
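Review bot: `cryptkey` is now an uninitialised stack array (`uint8_t cryptkey[8];` in the previous hunk) that is trusted as soon as `get_challenge()` returns NT_STATUS_OK. A backend that reports success without writing all 8 bytes would therefore leave stale stack contents in what is presumably sent as the challenge. That contract is not stated anywhere visible. I would add to the callback comment in source4/auth/ntlmssp/ntlmssp.h a line such as `On NT_STATUS_OK the callback must have written all 8 bytes of challenge[]`. The rest of `ntlmssp_server_negotiate()` is outside this hunk.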
@@ -180,7 +182,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security 
*gensec_security,
        /* This creates the 'blob' of names that appears at the end of the 
packet */
        if (chal_flags & NTLMSSP_NEGOTIATE_TARGET_INFO) {
                char dnsdomname[MAXHOSTNAMELEN], dnsname[MAXHOSTNAMELEN];
-               const char *target_name_dns = "";
 
                /* Find out the DNS domain name */
                dnsdomname[0] = '\0';
@@ -194,12 +195,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security 
*gensec_security,
                }
                strlower_m(dnsname);
 
-               if (chal_flags |= NTLMSSP_TARGET_TYPE_DOMAIN) {
-                       target_name_dns = dnsdomname;
-               } else if (chal_flags |= NTLMSSP_TARGET_TYPE_SERVER) {
-                       target_name_dns = dnsname;
-               }
-
                msrpc_gen(out_mem_ctx, 
                          &struct_blob, "aaaaa",
                          MsvAvNbDomainName, target_name,
@@ -268,6 +263,7 @@ static NTSTATUS ntlmssp_server_preauth(struct 
gensec_ntlmssp_state *gensec_ntlms
        }
 
        /* zero these out */
+       data_blob_free(&gensec_ntlmssp_state->session_key);
        data_blob_free(&gensec_ntlmssp_state->lm_resp);
        data_blob_free(&gensec_ntlmssp_state->nt_resp);
        data_blob_free(&gensec_ntlmssp_state->encrypted_session_key);
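Review bot: The added `data_blob_free(&gensec_ntlmssp_state->session_key);` sits under the comment `/* zero these out */`, but nothing in this hunk shows the key bytes being overwritten before the memory is released. If `data_blob_free()` only frees, the previous session key stays readable in freed heap memory. For key material I would use `data_blob_clear_free(&gensec_ntlmssp_state->session_key);`, and consider the same for `encrypted_session_key`. This assumes the blob's data is owned by the state and not shared with `server_info`, which cannot be confirmed from these lines. The body of `ntlmssp_server_preauth()` continues outside the hunk.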
@@ -406,6 +402,11 @@ static NTSTATUS ntlmssp_server_postauth(struct 
gensec_security *gensec_security,
        NTSTATUS nt_status;
        DATA_BLOB session_key = data_blob(NULL, 0);
 
+       if (!(gensec_security->want_features
+             & 
(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY))) {
+               return NT_STATUS_OK;
+       }
+
        if (user_session_key)
                dump_data_pw("USER session key:\n", user_session_key->data, 
user_session_key->length);
 
@@ -548,20 +549,15 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security 
*gensec_security,
                             const DATA_BLOB in, DATA_BLOB *out) 
 {      
        struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct 
gensec_ntlmssp_state *)gensec_security->private_data;
-       DATA_BLOB user_session_key = data_blob(NULL, 0);
-       DATA_BLOB lm_session_key = data_blob(NULL, 0);
+       DATA_BLOB user_session_key = data_blob_null;
+       DATA_BLOB lm_session_key = data_blob_null;
        NTSTATUS nt_status;
 
-       TALLOC_CTX *mem_ctx = talloc_new(out_mem_ctx);
-       if (!mem_ctx) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
        /* zero the outbound NTLMSSP packet */
-       *out = data_blob_talloc(out_mem_ctx, NULL, 0);
+       *out = data_blob_null;
 
-       if (!NT_STATUS_IS_OK(nt_status = 
ntlmssp_server_preauth(gensec_ntlmssp_state, in))) {
-               talloc_free(mem_ctx);
+       nt_status = ntlmssp_server_preauth(gensec_ntlmssp_state, in);
+       if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
 
@@ -573,23 +569,21 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security 
*gensec_security,
         */
 
        /* Finally, actually ask if the password is OK */
-
-       if (!NT_STATUS_IS_OK(nt_status = 
gensec_ntlmssp_state->check_password(gensec_ntlmssp_state, mem_ctx,
-                                                                             
&user_session_key, &lm_session_key))) {
-               talloc_free(mem_ctx);
+       nt_status = gensec_ntlmssp_state->check_password(gensec_ntlmssp_state,
+                                                        &user_session_key,
+                                                        &lm_session_key);
+       if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
-       
-       if (gensec_security->want_features
-           & 
(GENSEC_FEATURE_SIGN|GENSEC_FEATURE_SEAL|GENSEC_FEATURE_SESSION_KEY)) {
-               nt_status = ntlmssp_server_postauth(gensec_security, 
&user_session_key, &lm_session_key);
-               talloc_free(mem_ctx);
+
+       nt_status = ntlmssp_server_postauth(gensec_security,
+                                           &user_session_key,
+                                           &lm_session_key);
+       if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
-       } else {
-               gensec_ntlmssp_state->session_key = data_blob(NULL, 0);
-               talloc_free(mem_ctx);
-               return NT_STATUS_OK;
        }
+
+       return NT_STATUS_OK;
 }
 
 /**
@@ -597,22 +591,19 @@ NTSTATUS ntlmssp_server_auth(struct gensec_security 
*gensec_security,
  * @return an 8 byte random challenge
  */
 
-static const uint8_t *auth_ntlmssp_get_challenge(const struct 
gensec_ntlmssp_state *gensec_ntlmssp_state)
+static NTSTATUS auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_state 
*gensec_ntlmssp_state,
+                                          uint8_t chal[8])
 {
        NTSTATUS status;
-       uint8_t *chal = talloc_array(gensec_ntlmssp_state, uint8_t, 8);
-       if (!chal) {
-               return NULL;
-       }
 
        status = 
gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context,
 chal);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: 
%s\n",
                        nt_errstr(status)));
-               return NULL;
+               return status;
        }
 
-       return chal;
+       return NT_STATUS_OK;
 }
 
 /**
@@ -654,12 +645,13 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct 
gensec_ntlmssp_state *gensec_n
  * Return the session keys used on the connection.
  */
 
-static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state 
*gensec_ntlmssp_state, 
-                                           TALLOC_CTX *mem_ctx, 
-                                           DATA_BLOB *user_session_key, 
DATA_BLOB *lm_session_key) 
+static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state 
*gensec_ntlmssp_state,
+                                           DATA_BLOB *user_session_key, 
DATA_BLOB *lm_session_key)
 {
        NTSTATUS nt_status;
-       struct auth_usersupplied_info *user_info = talloc(mem_ctx, struct 
auth_usersupplied_info);
+       struct auth_usersupplied_info *user_info;
+
+       user_info = talloc(gensec_ntlmssp_state, struct auth_usersupplied_info);
        if (!user_info) {
                return NT_STATUS_NO_MEMORY;
        }
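Review bot: `user_info` is now allocated on `gensec_ntlmssp_state` instead of the per-call `mem_ctx`, so nothing frees it any more if the function returns before the `talloc_free(user_info)` in the next hunk. The lines between the two hunks are not shown, so this is only a concern if they contain an early return. Previously the caller's `talloc_free(mem_ctx)` would have covered such a path. With the long-lived parent, the allocation would stay attached to the state for the life of the connection. I would either confirm there is no exit in between or add a comment at the allocation: `/* parented to the long-lived state: every exit path must talloc_free(user_info) */`.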
@@ -678,31 +670,21 @@ static NTSTATUS auth_ntlmssp_check_password(struct 
gensec_ntlmssp_state *gensec_
        user_info->password.response.nt = gensec_ntlmssp_state->nt_resp;
        user_info->password.response.nt.data = talloc_steal(user_info, 
gensec_ntlmssp_state->nt_resp.data);
 
-       nt_status = 
gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context,
 
-                                                                      mem_ctx,
-                                                                      
user_info, 
+       nt_status = 
gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context,
+                                                                      
gensec_ntlmssp_state,
+                                                                      
user_info,
                                                                       
&gensec_ntlmssp_state->server_info);
        talloc_free(user_info);
        NT_STATUS_NOT_OK_RETURN(nt_status);
 
-       talloc_steal(gensec_ntlmssp_state, gensec_ntlmssp_state->server_info);
-
        if (gensec_ntlmssp_state->server_info->user_session_key.length) {
-               DEBUG(10, ("Got NT session key of length %u\n", 
+               DEBUG(10, ("Got NT session key of length %u\n",
                           
(unsigned)gensec_ntlmssp_state->server_info->user_session_key.length));
-               if (!talloc_reference(mem_ctx, 
gensec_ntlmssp_state->server_info->user_session_key.data)) {
-                       return NT_STATUS_NO_MEMORY;
-               }
-
                *user_session_key = 
gensec_ntlmssp_state->server_info->user_session_key;
        }
        if (gensec_ntlmssp_state->server_info->lm_session_key.length) {
-               DEBUG(10, ("Got LM session key of length %u\n", 
+               DEBUG(10, ("Got LM session key of length %u\n",
                           
(unsigned)gensec_ntlmssp_state->server_info->lm_session_key.length));
-               if (!talloc_reference(mem_ctx, 
gensec_ntlmssp_state->server_info->lm_session_key.data)) {
-                       return NT_STATUS_NO_MEMORY;
-               }
-
                *lm_session_key = 
gensec_ntlmssp_state->server_info->lm_session_key;
        }
        return nt_status;
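Review bot: With the `talloc_reference()` calls removed, `*user_session_key` and `*lm_session_key` are plain struct copies whose `.data` is still owned by `gensec_ntlmssp_state->server_info`. If a consumer frees or steals either blob (the handling in `ntlmssp_server_postauth()` is not visible here), `server_info` would be left with a dangling session-key pointer. The ownership rule should be written down where the copies are made, for example `/* shallow copy: data remains owned by server_info, callers must not free or steal it */` above each assignment. The function's closing brace is outside this hunk because the changeset is truncated.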


-- 
Samba Shared Repository
